Optimal eavesdropping in quantum cryptography. I. 



Christopher A. Fuchs, 1 Nicolas Gisin, 2 Robert B. Griffiths, 3 
Chi-Sheng Niu, 3 and Asher Peres 4 '* 

1 Norman Bridge Laboratory of Physics 12-33, Califòrnia Institute of Technology, 

Pasadena, CA 91125 
2 Group of Applied Physics, University of Geneva, CH 1211 Geneva 4, Switzerland 
3 Department of Physics, Carnegie- Mellon University, Pittsburgh, PA 15213 
4 Institute for Theoretical Physics, University of Califòrnia, Santa Bàrbara, CA 93106 

Abstract 

We consider the Bennett-Brassard cryptographic scheme, which uses two conjugate 
quantum bases. An eavesdropper who attempts to obtain information on qubits sent in 
one of the bases causes a disturbance to qubits sent in the other basis. We derive an upper 
bound to the accessible information in one basis, for a given error rate in the conjugate 
basis. Independently fixing the error rate in the conjugate bases, we show that both 
bounds can be attained simultaneously by an optimal eavesdropping probe, consisting 
of two qubits. The qubits' interaction and their subsequent measurement are described 
explicitly. These results are combined to give an expression for the optimal information 
an eavesdropper can obtain for a given average disturbance when her interaction and 
measurements are performed signal by signal. Finally, the relation between quantum 
cryptography and violations of Bell's inequalities is discussed. 
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I. INTRODUCTION 



In quantum cryptography, individual quanta are prepared in nonorthogonal quantum 
states to encode and carry information about cryptographic keys. In this way, an eaves- 
dropper can acquire information about the key only at the risk of causing a detectable 
disturbance. The oldest and best known cryptographic scheme, BB84, is due to Bennett 
and Brassard p|: the information sender, called Alice, encodes each logical bit, or 1, 
into the linear polarization of a single photon, along one of two conjugate bases of her 
choice, as shown in Fig. 1. The receiver, Bob, measures the polarization of the photon 
in one of the two bases, either xy or uv, randomly chosen by him. Only after that, Alice 
reveals to him the basis she used. This information is sent on a públic channel that can 
be monitored, but not modified, by anyone else. Bob then likewise telis Alice whether he 
used the correct basis. If he did, Alice and Bob know one bit, that no one else ought to 
know. 

After this protocol has been repeated many times, Alice and Bob sacrifice some of 
these secret bits by publicly comparing their vàlues. This gives them an estimate of the 
noise on the channel, which may be due to either natural causes or to the presence of 
an eavesdropper (Eve). In the latter case, the maximal amount of information that Eve 
could have gathered is, in principle, fixed by the laws of quantum mechanics. If Eve's 
information is small enough compared to the noise she has induced, Alice and Bob may 
still be able to use classical methods of privacy amplification [0, [3] in order to reduce Eve's 
information to an arbitrarily small level. It is therefore important to estimate the maximal 
amount of information that Eve may have acquired, for a given error rate observed by 
Bob. 

There are many possible strategies for eavesdropping, some of which have been analyzed 
by other authors. Ekert and Huttner |4]] examined a simple "intercept-resend" method, 
where Eve performs Standard von Neumann measurements. Lütkenhaus f| considered 
the use of positive operator-valued measures (POVM) |j] under the restriction that Eve 
performs her measurements before Alice reveals the basis. Recently, Gisin and Huttner [[/[] 
determined the optimal strategy for an eavesdropper restricted to a two-dimensional probe 
(a single qubit) interacting on line with each transmitted signal, with the probe measured 
after the basis is revealed. These various results, and the optimal ones obtained in the 
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present article, are plotted in Fig. 2. 

The common denominator of all these strategies is that they are restricted to inter- 
actions and measurements on each individual signal sent from Alice to Bob; there are 
no "collective" interactions or measurements on strings of signals, as might be the case if 
Eve were able perform quantum measurements on systems of arbitrary size. Furthermore, 
none of the strategies allow Eve to delay her measurements until the completion of Alice 
and Bob's privacy amplificat ion, and none take into account the information leaked to 
her during the públic communication phase of the protocol. The latter kind of informa- 
tion depends upon which bits are ultimately discarded and upon the specific algorithm 
used in the privacy amplification process. Finally, even within the restrictions set by this 
paradigm, none of the schemes can claim optimality in the sense of specifying the best 
possible ratio between Eve's information gain and her induced disturbance. 

The purpose of this article is twofold. The first is to give a quantitative statement of 
the physical principle responsible for the operation of the BB84 protocol: an eavesdropper 
who attempts to obtain information in one basis causes a disturbance to the conjugate 
basis. The second — more relevant to practical quantum cryptography — is to derive the 
absolute best achievable information an eavesdropper can obtain about a single qubit, for 
a given average error rate caused to the signals. In both these tasks, we again work within 
the paradigm cited above. Namely, we assume that Eve may interact with only one signal 
at a time and may only make measurements on each individual probe. Furthermore, she 
may do this after Alice announces her basis, but before the execution of any error testing 
or privacy amplification protocols. 

From the point of view of ultimate security in cryptography, these restrictions may be 
severe. On the other hand, with respect to experimental science, these assumptions are 
hardly limiting at all. Indeed it is only now becoming possible to make two qubits interact 
with one another in a controlled fashion ||; controllable interactions between three qubits, 
as would be required for the optimal strategy presented here, are still quite some way 
in the future. Finally, though an expression for the tradeoff between information and 
disturbance in a less restrictive scenario may be eminently important for cryptography, 
such a relation — because of its dependence on the details of privacy amplification — cannot 
be fundamental and lies somewhat beyond the scope of bàsic physics. 
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The plan of our paper is as follows. In Sect. 2, we derive a general bound that refers 
to the accessible information in one basis, corresponding to a given error rate in the 
conjugate basis. This is obtained without using any particular model for the eavesdrop- 
ping interaction; the latter is assumed only to be unitary. It had been previously known 
that a four-dimensional probe (that is, one consisting of two interacting qubits) is the 
largest needed for achieving the optimal detection of signals emitted in a two-dimensional 
space ||. There are, however, some cases for which a two-dimensional probe is suffi- 
cient ||. It turns out that, for the BB84 protocol, the bound can only be attained by 
eavesdropping probes consisting of two qubits. The optimal interaction, and the subse- 
quent measurement protocol are described explicitly in Sect. 3. In particular, it is shown 
that, upon independently fixing the error rates in each basis, there is an optimal eavesdrop- 
ping strategy for achieving the two bounds simultaneously. A quantum computational 
circuit representing the optimal strategy is described in the following paper |TÜ | . 

Finally, in Sect. 4, we address issues directly relevant to quantum cryptography by 
constructing the optimal tradeoff relation for Eve's overall accessible information in terms 
of the average error rate for both bases. This is obtained by two methods. The first relies 
on the work of the previous two sections; the second incorporates an argument based on 
a symmetrization technique. Note that both Sect. 2 and 3 concern fundamental physical 
qüestions. The "practically minded" cryptographer need only browse through them, and 
may then proceed directly to Sect. 4 to find results relevant to privacy amplification ||. 
In the concluding remarks we return to fundamental physics by outlining an intriguing 
connection between the optimal information-disturbance tradeoff and a violation of Bell's 
inequality in the Bennett-Brassard-Mermin modification of the BB84 protocol [flT]| . This 
confirms an idea first expressed by Ekert |ï!| and recently made quantitative by Gisin 
and Huttner M. 



II. INFORMATION AND DISTURBANCE IN CONJUGATE BASES 

If Eve performs Standard (von Neumann type) measurements in the xy basis, she does 
not disturb signals sent in that basis, but she disturbs maximally those sent in the uv 
basis, and vice-versa. In this section, it will be shown that, quite generally, Eve's ability 
to obtain partial information on the signals sent in one of the bases is related to the 
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disturbance caused to the signals sent in the other basis. This is relevant to eavesdropping 
on the BB84 protocol because it is the raw physical fact that allows its operation. 

We take the framework for our problem directly from quantum cryptography. In order 
to take advantage of Alice's delayed information on the basis that was used, Eve's optimal 
strategy is the following: she lets a probe, initially in some Standard state |t/>o) 5 interact 
unitarily with the qubit sent by Alice. (There is no loss of generality in this, because any 
physical nonunitary interaction is equivalent to a unitary one with a higher dimensional 
probe). Eve's probe is then stored until Alice announces the basis that was used, and 
only after that is it measured by Eve. 

In a convenient notation, if Alice sends state \x), the result may be written as 

\x) ® |Vo) - \X), (1) 

where \X) is an entangled state of the probe and the photon that Alice sent to Bob. 
Likewise, for the other signals that Alice may send, the results of Eve's intervention are 
entangled states, \Y), \U), and \V). Since the interaction is unitary, it follows from 

\x) = (\u) + \v))/V2 and \y) = (\u) - \v))/y/2, (2) 

that 

\X) = (\U) + \V))/V2 and \Y) = (\U) - \V))/V2. (3) 

Eve's measurement on the probe may be of the Standard type (an orthogonal projection 
valued measure) or, more generally, it may be of the POVM type ||, where the various 
outcomes correspond to a set of positive semi-definite operators that sum to the identity 
operator on the probe's Hilbert space. Since Eve waits until Alice reveals her basis, she 
may choose a POVM {E\} when the xy basis is sent, and a different POVM {F\} when 
the uv basis is sent. 

Note that the interaction of Eve's probe with the qubit sent by Alice to Bob completely 
determines the mean error rate for signals sent in the xy basis and those in the uv basis. 
It also determines Eve's accessible information (i.e., her maximal information) for both 
types of signals. The aim of this section is to show that the accessible information for 
xy signals is simply related to the mean error rate for uv signals, and vice-versa. These 
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mean vàlues are well defined regardless of which signal is sent in any single instance. In 
particular, there is nothing counterfactual about comparing the information in one basis 
with the error rate in the other basis. 

Let us now set about our task. If Alice sent a signal \x), the probability that Eve 
detects outcome À is 



Xx 



(X\1®E X \X), (4) 



and likewise for the other signals. Here, 1 is the identity operator for Alice and Bob's 
qubit. Let pi be the prior probability that Alice sends signal i. The probability that Eve 
gets outcome A when Alice uses the xy basis is thus 

ÇA = P\xPx + P\yPy (5) 

If Eve observes outcome À when she tests her probe, the posterior probability (or likeli- 
hood) Eve assigns signal i is, by Bayes' theorem, 

Qíx = PxiPi/qx- (6) 

How can Eve make use of this result? One possibility is to simply assume that the 
largest one of Q xX and Q yX indicates the signal that was actually sent by Alice. Then, 
the smallest one of Q x \ and Q yX is Eve's expected error rate. A convenient measure of 
her information gain is |TB 



G x = \Q xX -Q yX \. (7) 

For example, this expression would be Eve's expected income, if she were earning one dol- 
lar for each correct guess, and paying one dollar for each incorrect guess. This expression 



is also related in a simple way to Eve's expected error rate |13| in her interpretation of 
the result À, which is \ (1 — G\). 

On average, Eve's information gain (in bits) is 

^2qxG X = ^2\PxxPx~ PxyPyl- (8) 
A A 

If the two signals are equiprobable, Eve's average gain is 

G = 2 \ P *x ~ -^yl' ( 9 ) 

A 



and her expected average error rate is | (1 — G). 

A more sophisticated data processing by Eve is to keep track of all the q x and Qi X of 
her observations. These may then be used to compute her mutual information on Alice's 
message ||. With equiprobable signals, this is given (in nats) by 

/ = ln 2 + ]Tg A £Q a ln Q ïA . (10) 

A i 

This measure of Eve's information is the main concern of this article. However, in the 
following, we shall consider first the simple "information gain" expression (|9]), for which 
a bound is easier to find. This result will then be used to bound the mutual information. 

Let us first consider the case where Alice announced that she had sent a signal in the 
xy basis, and Eve observed outcome A. We then have, from Eqs. (0) and (pi), 

qxG x = \ \P Xx - P Xy \ = l\(X\l ® E X \X) -{Y\l® E X \Y)\. (11) 

This can also be written, thanks to Eq. (§), as 

qxG x = \\{U\l®E x \V) + {V\l®E x \U)\, 

= \Re(U\B u ®E x \V) + Re(U\B v ®E x \V)\, 

< \(U Xu \V Xu )\ + \(U Xv \V Xv )\ (12) 
where B u = \u)(u\ and B v = \v)(v\ are projectors onto Bob's states \u) and \v), so that 

B u + B v = 1, (13) 
and 

\u Xu ) = b u ®Je x \u), \v Xu ) = b u ®Je x \v), 

\U Xv ) = B v ®Je x \U), \V Xv ) = B v ®Je x \V). (14) 

Note that y/E^ is well defined, since E x is a positive semi-definite operator. Of course, 
\fE~x~ can be replaced by E x when E x is a projector. 
The Schwarz inequality implies that 

\{U Xu \V Xu )\ < [(U Xu \U Xu )(V Xu \V Xu }} 1/2 (15) 

with equality if and only if \U Xu ) and \V Xu ) are parallel. The physical meaning of the 
expression (V Xu \V Xu ) is that, if instead of the scenario considered here, Alice had actually 



sent signal \v), Eve would get result À and Bob would get \u) (that is, a wrong result) 
with a probability equal to that expression. Therefore, we shall write 



(V\ u \V Xu ) = P\v d Xv and (V Xv \V Xv ) = P\ v (l - d. 



Xv) 



(16) 



where P Xv is defined as in Eq. (|), and d\ v is the probability that Bob gets a wrong result 
conditioned upon Alice sending \v) and Eve measuring A. The other terms in Eq. (|Ï2|) 
can be handled in the same way, and we finally obtain 



Xv 



d Xv (1 - dxu) + \ d Xu (1 - d. 



IXv 



(17) 



Let us develop the bound in Eq. (|T7|) further. By the geomètric mean - arithmetic 
mean inequality, we have 



{PxuPxvf 12 < HPxu + Pxv) = qx, 



li 



where the first equality holds if P\ u = Px v , and where Eq. (|5|) was used. Let us now define 
dx and w by 



dxu = d x + w and d Xv = d\ — w. 



(19) 



The square bracket in Eq. ( p!7|) is easily seen to be an even function of w, which has its 
maximum value at w — 0, that is, when dx u = dx v = dx- That is to say, the bound 
reaches a maximum when the probability of detectable disturbance is identical for each 
of the conjugate basis vectors. We thus have 



Gx<2[dx(l-d x )} 1/2 . 



(20) 



It follows that Eve's information gain averaged over all outcomes is bounded by the 
expression 



G = £ qx G x < 2 £ q x [d x (1 - d x )} 1/2 . 



(21) 



Since the function [x(l — x)} 1 ^ 2 is concave, we have JÏ4 



Y^qxldxil-dx^^lDil-D)] 1 



/2 



(22) 



where D = J^Qxdx is Bob's observable error rate, i.e., the one averaged over all of Eve's 
outcomes. Equality holds only if all the d x are equal to D. Thus, finally, 



G xy <2[D uv (l-D uv )} 1 /\ (23) 

where the indices have been introduced to emphasize that Eve's information gain refers 
to signals sent in the xy basis, and Bob's error rate refers to signals sent in the uv basis. 

In exactly the same fashion as above, we can derive a bound on the information gain 
with respect to the the xy basis in terms of the disturbance inflicted upon the uv basis: 

G U v < 2 [D xy (1 - D xy )} 1/2 . (24) 



Equations (g^) and (|24|) teli us that Eve's maximal information gain, for given error 
rate caused to Bob in the conjugate basis, is bounded in a simple way The main goal 
of this section, however, is in finding an analogous bound on the mutual information /, 
defined by Eq. (|H]). The latter can be expressed more simply by writing 

Q x x = (l + r x )/2 and Q yX = (1 - r A )/2, (25) 

since these two expressions sum to unity. We then have 

1 = \ E 9a [(1 + r x ) ln(l + r x ) + (1 - r A ) ln(l - r A )]. (26) 

A 

Note that 

rx = QxX - Q y x = ±G X , (27) 
by virtue of Eq. (0). We can therefore write, instead of Eq. (p6|) , 

I = \ E ?a [(1 + Gx) ln(l + G x ) + (1 - Gx) ln(l - G x )]. (28) 

A 

To obtain a bound on /, it is convenient to define a function 

<f)(z) = (1 + z) ln(l + z) + (1 - z) ln(l - z). (29) 
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Since (f>'(z) = ln[(l + z)/(l — z)\ is positive for < z < 1, we see that the right hand side 
of Eq. (|28|) will increase if we replace Ga by a larger expression, such as the right hand 
side of Eq. (pÜ|). Therefore, 



2 A /oí A (l-oí> 



(30) 



In Appendix A, it is shown that 2yx{\ — x) is a concave function of x. It follows, just 
as in Eq. (E2), that 



2a/D,.,, (1 - D. 



(31) 



where subscripts have been added, as in Eq. (|23"D, to emphasize that the information gain 
and error rate refer to signals sent in two different bases. Likewise 



Iuv <\4> 



2jD xy (1 - D xy ) 



(32) 



is the counterpart of Eq. (^4)). 

Necessary and sufficient conditions for Eqs. ([H]) and (32) to hold as equalities are 
derived easily by tracing back through the chain of inequalities that brought them about. 



Let us focus on Eq. fl3~I|) . To begin with, the concavity of <fi 2Jx(l — x) is strict, so all 
the d\s must be equal; thus, in view of the remark following Eq. (|Ï9|) , we have 



d\ u d\ v d\ D uv . 



Similarly, Eq. QT8D can be a strict equality only if 



(33) 



P\u — P\v — Ça- 



(34) 

Equality in Eq. ( |T2"D means that both (U\ U \V\ U ) and {U\ V \V\ V ) are real and have the same 
sign 

<j A = sign((E7\u|Vxu) + (U\ v \Vx v )), 

= sign (P Xx - P Xy ) = sign (Q xX - Q yX ) , (35) 

Finally, equality in Eq. ([15]), and its analog with u replaced by v, means that \U\ U ) is a 
múltiple of \V\ U ), and \U\ V ) is a múltiple of \V\ V ). Thus 



(V Xu \V Xu )=fx 2 (U Xu \U Xu ), 



(36) 
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and 

(U Xv \U Xv ) = v 2 (V Xv \V Xv ) , (37) 

for some real numbers \x and v. 

Combining these results gives the necessary and sufficient conditions for equality in 
Eq. (RTÍ): for every À, 



\V Xu ) = e x J-^-\U Xu ) (3Í 



1 — D 



II c 



and 



\U Xv ) = e x ^ T ^ r \V Xv ), (39) 
where e x = ±1. 

The corresponding conditions for equality in Eq. fl32|) are derived in an analogous way. 
Namely, if Eve uses a POVM {F x } for gaining information about the uv basis — which is 
different from the POVM {E x } used for the xy basis — then the conditions that must be 
satisfied are: 



and 



|A '^ = ^ iï^k v (41) 

with 

7a = sign (P Xu - P Xv ) = sign (Q uX - Q vX ), (42) 
and 



\X Xx ) = B X ®^F X \X), \Y Xx ) = B X ®^JF X \Y), 

\X Xy ) = B y ®JF x \X), \Y Xy ) = B y ®y/F X \Y). (43) 

In the cryptographic setting, the fact that Eve can adapt her measurement to the basis 
that Alice reveals, leads one to question whether there may be a single interaction between 
Eve's probe and Alice's qubit that saturates both Eq. ( [31]) and Eq. (j32|) . We address the 
achievement of these bounds in the next section. 
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III. ATTAINABILITY OF BOTH CONJUGATE BASIS BOUNDS 



In this section, we show how Eve can optimize her strategy to attain the bounds in 
Eqs. (|3lD and (^) with both D xy and D uv fixed independent ly. The train of thought that 
led to the present solution is a long and complex one. First, we performed a "brute force" 
numerical optimization, similar to the one in Ref. ||. The result was found to saturate 
the bound on Eve's overall information about both bases (still to be derived in the next 
section). This led us to look for an exact analytic solution satisfying Eqs. ([38]) and (|39|), 



and (^) and fl41|) , first with equal error rates, and then with independent error rates. The 
one described below, for independent error rates, was obtained with a certain amount of 
guesswork. For the case of equal error rates, as in Section IV, there is a symmetrization 
procedure that leads directly to a solution. It is easy to check that the solution here is 
correct, but the extent to which it is unique (aside from trivial changes of basis and of 
phase) remains unknown. A quantum circuit embodying the optimal strategy is described 
in the following paper [[RJ . 

Let us fix both D xy and D uv . A natural ansatz for an optimal interaction on Eve's part 
is that when Alice sends a signal in the xy basis, Bob receives a simple mixture of the 
same two basis vectors; when Alice sends a signal in the uv basis, Bob receives a simple 
mixture of these two basis vectors. That is, Bob's density matrix is always diagonal in 
the basis chosen by Alice. Then, owing to Eq. ([33]) and the analogous condition for the 
xy basis, the Schmidt decompositions for the post-interaction states must be of the form 



|*> = sJl-D xy \x)\Q + ^D xy \y)\Q, 

\Y) = Jl-D xy \y)\Q + jD^\x)\Q, (44) 



and 



\U) = ^J\-D uv \u)\Z u ) + JdZ\v)\Q, 

\V) = ^1-D uv \v)\Q + Jd^ u \u)\Q, (45) 
where each pair and \Q) are normalized vectors that are orthogonal to each other: 

(ZM = (QC V ) = <&IC«> = <&IC«> = o- 

The remaining relations between the and \Q) cannot be chosen arbitrarily. For 
instance, the orthogonality of \X) and \Y) requires that 

(L\Cy) + (Q\Q=o. (46) 
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Moreover, Eqs. (0) and ([3]) imply that 



2^l-D uv \i u ) = ^i- Dxy {\Ç x ) + \Q) + ^D xy {\( x ) + \Q y 

2^/dZ\Cu) = y/1 - D xy - \Q) + (\Q - \Q) , (47) 

and similar relations for and \( v ). These in turn, through (£ U |C«) = (£,v\(v) — 0, lead 
to 

Re((UCy)-{QQ) = 0, (48) 
and 

(1 - D xy ) Im ((4|e,>) + Im ((dC,)) = 0. (49) 

These requirements still leave us considerable freedom in the choice of Eve's interaction 
with Alice and Bob's qubit. 

Since Alice's input states only involve real coefíicients, it is plausible that complex 
numbers are not necessary for describing Eve's optimal probe. We thus assume that all 
inner products between the various and \Q) are real numbers. Then Eqs. ([46]) and 
(|48l), when combined, indicate that {£ x \(y) — {(x\£,y) — 0. 

A particular choice for Eve's interaction that is adequate for our needs can now be 
specified. Recali that Eve's probe never need have more than a four-dimensional Hilbert 
space. That is to say, Eve's probe may be taken to be two qubits. It is therefore convenient 
to introduce the same bases for each of Eve's qubits that we introduced for Alice's qubit, 
namely xy and uv. In terms of these basis vectors, we may further construct two Standard 
(maximally) entangled bases for the two qubits: a Bell basis |Ï5| with respect to xy 

\*%) = (\x)\x)±\y)\y))/V2 

l*£> = (\x)\y)±\y)\x))/V2, (50) 

and similarly a Bell basis with respect to uv consisting of and \^u V ). 

In terms of the Bell basis vectors for Eve's probe, we may choose the interaction in 
such a way that 



|U = ^l-D uv \<$> + x y) + \JD uv \% y ), 

\Q = y/l-D uv |$+ ) - JÏÏZ |$~ ), 

\C y ) = sJi-d uv \^ v ) + \[dZ\K v )- (51) 

13 



With respect to the conjugate inputs, the interaction takes a similar form: 



IU = yJl-D xy \^ v ) + ^D xy \^ v ), 

iu = ^1-^1$+)-^!$-), 

IU = ^/í-^J^U + v^l^)- (52) 

The second set of vectors is, of course, related to the first — as it must be by unitarity— 



through relations such as in Eq. (47). Note that neither collection of relative states 
is orthonormal. Hence the set of density operators available to Eve after the probe's 
interaction — i.e., the set of quantum states from which she gains information about Alice's 
signal — is a noncommuting set. 

To see that this interaction is optimal for Eve, we need only find optimal POVMs 
{E x } and {F x } — one for each basis xy and uv — to use under these assumptions. Then 
the optimality of the whole procedure can be checked either by testing the validity of 
Eqs. (|38|)-(|4"1~|) , or simply by checking directly that the bound is attained. We opt for the 
former of these here. In Sect. IV, we shall use a direct check for a different set of |U and 

IU- 

Suppose Alice announces that a signal from the xy basis was sent to Bob. Then a 
natural choice for the observable Eve should measure is the one that minimizes her error 
in guessing Alice's signal, i.e., the one that maximizes G in Eq. (pi). The corresponding 



basis is well known |16], [13] : it simply is the one that diagonalizes the Hermitian operator 

i \y — Px Pyi (53) 

where 

Px = Tr Mice (\X)(X\) = (1 - D xy )\i x )(i x \ + Dxy\(x)((xl (54) 
and likewise for p y . The corresponding eigenprojectors of T xy are then given by 

E X = \E X ){E X \, (55) 
where 

\E ) = \x)\x), \E 1 ) = \y)\x), \E 2 ) = \x)\y), \E 3 ) = \y)\y). (56) 
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Arbitrary vàlues, 0, . . . 3, have been assigned here to the label À. 

Similarly, we make the analogous guess for Eve's measurement in the case that Alice 
reveals the uv basis; namely, we use the eigenprojectors 



F X = \F X )(F X \ (57) 
of the operator 

r w = p u - Pv, (58) 

where the density operators p u and p v are partial traces of \U) and \V), respectively 
Again, it is easily verified that the appropriate eigenvectors are: 

\F ) = \u)\u), \F 1 ) = \v)\u), \F 2 ) = \u)\v) \F 3 ) = \v)\v). (59) 

It should be noted that the measurement optimal for minimizing the error in a guess 
of the state's identity is generally noi the same as the measurement for maximizing the 



mutual information about the state ||17|| . Thus there is no automàtic guarantee that, 
even with the optimal interaction for Eve's probe, the measurements listed above will be 
adequate for achieving the maximum possible mutual information. Nevertheless for the 
case at hand, as will be seen shortly, circumstances have worked out in our favor. 

With all the pieces in place, checking the optimality of the interaction given by Eqs. (33) 



and fl5"T|) and the measurement given by Eq. (|56|), is just a question of checking that 
Eqs. (^)- (|4ï|) are satisfied. 

We start by examining the vectors defined in Eq. ( TU) ) using the projectors onto the 
vectors of Eqs. (|56|). Note that in this case y/Ex = Ex is a matrix of rank 1. Therefore, 
B u ® Ex projects onto a one-dimensional subspace of the qubit-probe Hilbert space, so 
that \Vxu) and \U\ U ) are parallel. Likewise \V\ V ) and \U\ V ) are parallel. Working out the 
scaling factors between the parallel vectors is a matter of applying the projectors to the 
expressions in Eq. (ffi3). For example, 



\U lu ) = B U ®E 1 \U) = Jl- A«,(£ilUH|£i> 



D uv JD xy \u)\E 1 }/V2, (60) 
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and \Vi u ) is given by the same expression except that a/1 — D uv is replaced by y/D uv . 
Hence Eq. (|38D is satisfied for A = 1 with e\ = +1. One can work out the other cases in 
the same way, and show that 

e = +1, ei = +1, e 2 = -1, e 3 = -1. (61) 

Consequently, the measurement corresponding to Eq. provides a mutual information 
I xy given by the right side of Eq. ([31]). It is similarly straightforward to verify Eqs. (|40| ) 



and (41) by applying projectors of the type B x (g) F\ and B y ® F\ to the expressions in 
Eq. ([Uf) , to form the quantities defined in Eq. (|43f) . 

Hence there exists a definite choice of qubit-probe interaction, namely Eqs. (ü)-(@3), 
which, together with two distinct measurement strategies, based upon Eqs. ( ^6]) and ( |59| ) 
according to the basis announced by Alice, allows Eve to saturate the bounds in Eqs. (|3Ï| ) 
and fl32| ) simultaneously, for arbitrary choices of D uv and D xy . 

As a final point, it is intriguing to note the following. If Eve's concern were only to 
guess the state Alice prepared — and not maximize her mutual information — then, clearly, 
it is enough for her to bin the outcomes of her measurement two by two. That is to 
say, if Alice sends a signal in the xy basis, then Eve upon receiving either outcome Eq 
or E\ should guess that the state \x) was sent; upon receiving either E 2 or E 3 , she 
should guess that \y) was sent. These choices will minimize her probability of making 
an incorrect guess. Similarly, she should guess \u) when she finds either F Q or Fi and 
\v) when she finds either F 2 or F 3 . Interestingly, Eq. (|6~Ï"D along with Eqs. (|38D and 
(p9|) (and similarly for the conjugate basis) reveals that such a binned measurement is 
also sufficient for maximizing Eve's mutual information. Moreover, this fact has another 
remarkable consequence: regardless of which basis Alice used, after Eve's interaction, she 
can completely ignore the first qubit of her probe. All the accessible information about 
Alice's signal is contained in the second qubit. Thus, while two qubits in Eve's probe 
are required for producing a minimal disturbance interaction with Alice's qubit, only one 
qubit plays a role in the final informat ion-gat her ing process. Also see the discussion in 



the following paper [10 . 
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IV. OPTIMAL EAVESDROPPING STRATEGY 



We are finally in a position to describe the eavesdropping strategy that is most relevant 
to quantum cryptography with the BB84 protocol. Namely, we should like to know Eve's 
best average mutual information for a fixed average disturbance across the two bases xy 



and uv. This is given by combining the two results of Eqs. ( plf ) and fl32|) . Fixing the 
average disturbance to be 

D = \{D xy + D uv ), (62) 

and defining 

G = \{G xy + G uv ) and I=\{I xy + Iuv) (63) 

for the average information gain and mutual information, respectively, we can again use 

2jx(l - ; 



the concavity of the functions [x(l — x)] 1 ^ 2 and (j) 2Jx(l — x) to obtain 

G <2[D(1-D)} 1 / 2 , (64) 
and 



I<y[2y/D(l-D)\. (65) 
Equality can be achieved in either of these bounds only if 

D xy = D uv = D. (66) 

The result is plotted in Fig. 3. As intuitively expected, the average error is the same in 
both channels. If it were not so, different error rates for xy and uv signals would be a 
telltale indication that a clumsy eavesdropper is tampering with the communication line. 

The derivation of Eq. ( |6~5|) as given above may seem long and arduous. This is due to 
the generality of the previous sections: Section III encompasses strategies that produce 
asymmetric disturbances in the two conjugate bases and the bounding argument of Sec- 
tion II can, with slight modification, be generalized to nonconjugate bases and unequal 
prior probabilities for those bases. To more firmly place the physics of the optimal eaves- 
dropping strategy in Eq. (pq ) within context, we now sketch an alternate derivation based 
on a symmetrization argument. 
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The starting point of the new argument is to notice that for any eavesdropping proce- 
dure Eve chooses to use, there exists a symmetrized strategy leading to the same average 
information J, and same or lesser average disturbance D. For each one of the signals sent 
by Alice, the mixed states Bob receives can be made to be of the form 

PBob = (1 - 2L>) PAlice + D 1, (67) 

as if Alice's signals were merely diluted by mixing them with a random component. A 
formal proof of this result is given in Appendix B. 

Therefore with no loss of generality we can obtain Eve's ultimate bound on information 
versus disturbance by studying symmetric strategies. Note, however, that this may come 
at the cost of adding extra degrees of freedom to Eve's setup: without these, we would 
not be able to enact the required random orientation. For instance, if Eve's probe were 
restricted to consist of a single qubit, as in Ref. @], there would be no way to carry out this 
symmetrization. However, by making no a priori restrictions on Eve's probe, symmetrized 
strategies can always be covered within our formal framework. In particular, there must 
exist an optimal strategy on Eve's part that gives Eqs. (|44j ) and ([45]) with D xy = D uv = D. 

Again, on physical grounds, it is plausible that the Schmidt states in Eve's probe 



are real (not complex) superpositions with respect to some basis, as in Eqs. (33) and 
(fi5|). (Actually it can be checked that no new result is obtained by introducing complex 
coefficients. For the sake of brevity, however, we consider only real coefhcients in the 
following.) Then running through the same argument as presented between Eqs. (|46|) and 
(P5|) and in the following paragraph, we have 

(UQ = (Q(y) = (ClCv) = folCr) = o. (68) 

These requirements are enough to ensure that the set of relevant \Ç X ), \( x ), and 
\C y ) can all be parameterized by two real numbers. There are now many possibilities open. 
Instead of fl^Ip, we may try a solution that looks simpler, such as 

|£b) = \x)\x), 
\Cx) = \x)\y), 

\£ y ) = (cosa|x) + sma\y))\x), 

\Q = (cos(3\x) + sm(3\y))\y). (69) 
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It then follows from {( u \(u) = 1 that 

D= 1 - CQS " - . (70) 
2 — cos a + cos jj 

Let us consider the case where Alice announces that the xy basis has been used. Then 
the two density operators that Eve must distinguish are 

p x = (1-D)\Ç X )(Ç X \+D\Q(( X \, 

p y = (l-D)\£ y ){Q + D\Q(Ç y \. (71) 

The optimal information gathering measurement for these two states proceeds as follows: 
Eve first performs a preliminary step of distinguishing the vectors — rather than the density 
operators — by measuring the second qubit, because the set of are orthogonal to the 
set of The set of will occur with probability (1 — D); the set of \Q) will occur 
with probability D. Thereafter, distinguishing the density operators p x and p y becomes 
a question of distinguishing the (equiprobable) pure states in the appropriate set. The 
optimal information gathering measurement in either case is defined by the basis that 
straddles the two nonorthogonal vectors that must be distinguished fT5| . In the two 
cases, this leads to an information gain on Eve's part given by []Ï9 , |T7j 



iç = |(1 + sina) ln(l + sina) + |(1 — sinct) ln(l — sina), 

J ç = |(l + sin/3)ln(l + sin/3) + |(l-sin/3)ln(l-sin/3). (72) 
On average, Eve's information gain is given by 

1 = (l-D)Iç + DI c . (73) 

Eve's optimal strategy is obtained with the vàlues of a and f3 that maximize / when D 



is fixed. One can readily check that this occurs when a = fi, with sina = 2yD(l — D). 
By symmetry, the same result holds when Alice reveals that the uv basis has been sent 
(though the detailed protocol for measuring the two qubits is slightly different in that 
case). We again find Eq. (^) as the optimal information-disturbance tradeoff. 

For small vàlues of D, the bound given in Eq. (|65|) becomes / < 2D. At the other 
extreme, the maximum value of / is ln 2 (that is, one bit): Eve can achieve this result 
simply by keeping Alice's qubit for herself, and sending to Bob a dummy qubit in a random 
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state. She then has all the information, and Bob gets a 50% error rate. This state of affairs 
should be contrasted to optimal eavesdropping on the quantum cryptographic protocol 



B92 of Bennett [[Ï8j , that uses only two nonorthogonal quantum states. There one finds, 
for small vàlues of D, that / oc y/D |§. This suggests that the BB84 protocol is inherently 
more secure against eavesdropping than the B92 scheme: for a given disturbance, Eve 
obtains more information about the identity of Alice and Bob's bit in B92 than in BB84. 

To this point, we have hardly discussed what Alice and Bob can do with the knowledge 
of Eq. fl6q) and Eve's optimal strategy (given our restrictions to the problem). Generally, 
the users of the BB84 protocol will not have a noiseless communication channel available 
for their use. If Alice and Bob use a noisy channel, the only truly safe way for them to 
proceed is to assume that all the noise is due to some Eve using an optimal eavesdropping 
scheme. Then, if this Eve has not been too invasive, Alice and Bob may still be able to 
recover a safe cryptographic key by methods of privacy amplification. 

As discussed in Refs. [p|, pi, a good indicator of Alice and Bob's capability of recovering 
a safe cryptographic key in the face of Eve's presence can be formulated in terms of 
various mutual informations. In particular, one must compare the mutual information 
Iab between Alice and Bob (after Eve's eavesdropping) to the mutual informations Iae 
and Ieb between Alice and Eve and between Eve and Bob, respectively. If the natural 
noise in the channel is such that Iab — ^^{Iae, Ieb}, for any potential eavesdropper, 
then Alice and Bob should consider the channel inappropriate for quantum cryptographic 
key generation. They should either move to another channel or give up their quest. 

Note that for the optimal scheme derived here Iae = Ieb an d both are given by the 
right hand side of Eq. (p5|). On the other hand, as far as Alice and Bob are concerned, 
Eve's action has merely produced a binary symmetric channel between them, with a 
data-flipping rate D. Therefore [^T] 



Iab = In 2 + D \nD + (1 - D) ln(l - D) = \ 0(1 - 2D). (74) 



Comparing this expression to Eq. fl55]), we can find the threshold noise level for a poten- 
tially safe channel; namely, it occurs when 



1 — 2D\ = 2JD(l — D). (75) 
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That is to say, when 



D > \ - \V2~ 0.146447, (76) 

the channel should be considered too risky for safe key generation. 

Finally, let us discuss an intriguing connection between optimal eavesdropping and the 
violation of Bell inequalities. A slight modification of the BB84 protocol can be built 
upon Alice and Bob sharing an entangled pair of qubits (such as the singlet state \*&~)) 
rather than Alice physically sending a qubit to Bob |ÏT] . Alice and Bob simply randomly 
perform measurements in the xy and uv bases, and announce their measurement — though 
not their result — to each other. Whenever their measurement bases differ, they discard 
the bit; whenever the bases are the same, they know that they should have opposite bits 
if there were no eavesdropping or noise on the channel. An eavesdropper in this scenario 
might be imagined to interact with one qubit of the EPR pair in an attempt to gather 
information about Alice and Bob's final key. 



Ekert |I2| , in a related scheme, pointed out that an appropriate test for eavesdropping 
might be a check on whether the Bell inequalities are violated. This can be enacted in 
our scenario by allowing Bob to rotate his measuring apparatus by 22.5 degrees. Then 
Alice and Bob will be in position for testing the Standard Clauser-Horne-Shimony-Holt 



(CHSH) inequality p2| . The correlation signature S in that inequality cannot exceed 2 
for theories based on local hidden variables. However, in the modified BB84 protocol just 
discussed, S can reach 2v^2 when there is no eavesdropping involved. The effect on S 
of our optimal eavesdropping strategy is equivalent to the one caused by a data-flipping 
error with probability D in one of the detectors |23j : 



S = 2y/2(l-2D). (77) 

It is noteworthy that the CHSH inequality ceases to be violated, i.e., S < 2, just when 
D satisfies Eq. (|76|) . This confirms the conjecture of Gisin and Huttner |7j and to some 
extent vindicates the idea of Ekert. We believe this connection between privacy amplifi- 
cation requirements and Bell inequalities may have fundamental implications in quantum 
information theory and is worthy of further investigation. 
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APPENDIX A. PROOF OF CONCAVITY 



Consider the function 



4>{z) = (1 + z) ln(l + z) + (1 - z) ln(l - z). 



(78) 



We have 



0%*)=ln[(l + *)/(!-*)], 



(79) 



and 



<P\z) = 2/{l-z 2 ). 



(80) 



Now let 



z(x) = 2[x(l -x)) 



1/2 



(81) 



whence 



z '(x) = (l-2x)/[x(l-x)} 



1/2 



(82) 



and 




\[x{l-x)]-^ = -A/z\ 



(83) 
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We have 

d(j) d<f> dz 
dx dz dx' 

whence 

d 2 ó dó d 2 z d 2 ó ídz^ 2 



dx 2 dz dx 2 ^ dz 2 \dxj ^ ^ 

Combining all these equations together, we obtain 

dx 2 z 3 ( 1 — z) ^ ^ 

Recali that < z < 1. The parenthesis on the right hand side of (86) vanishes for z — 0, 
and its derivative is 2 — 2/(1 — z 2 ), which is always negative. Therefore (d 2 (j)/dx 2 ) < 0, 
and it follows that the function 0[z(x)] is concave. 



APPENDIX B. SYMMETRIZED EAVESDROPPING 



The purpose of this Appendix is to prové Eq. flB7|). Consider the representation of 
Alice's four states on a Poincaré sphere. They lie on the equatorial plane, at the ends of 
two perpendicular diameters. The states that Bob receives are also represented by four 
points. The latter are located inside the sphere, since these are mixed states. 

Eve proceeds as follows: before eavesdropping, she randomly rotates Alice's signal by 
0, 45, 90, or 135 degrees in the plane of Fig. 1 (that is, she rotates the Poincaré sphere by 
0, 90, 180, or 270 degrees around its polar axis). After the eavesdropping interaction, she 
rotates the signal back, and then sends it to Bob. This causes no change to the average 
amount of information she gathers, but equalizes the disturbances to Alice's four states. 
By virtue of this symmetrization, the set of Bob's states is now invariant under rotations 
of the Poincaré sphere by 90, 180, and 270 degrees. Therefore, the four points representing 
these states form a square, lying in a plane paral·lel to the equatorial plane. If the sides 
of that square are not parallel to those of the square formed by Alice's states, they can 
be made parallel by a further rotation around the polar axis. This does not change Eve's 
/, but this reduces Bob's D, thus improving the eavesdropping method. 
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Moreover, the four points that represent peob can be made to lie on the equatorial plane 
itself, not on a parallel plane above or below it. If they are not on the equatorial plane, 
this means that the eavesdropping interaction produces a circularly polarized component 
in the outgoing state (recali that the poles of the Poincaré sphere represent pure circular 
polarizations). This is indeed possible if the unitary interaction of the probe involves 
complex coefficients. In that case, Eve ought to have two available probes, whose inter- 
actions are described by complex conjugate unitary matrices. The second probe yields 
Bob's states on the other side of the equatorial plane. By randomly choosing one of the 
two probes, Eve can bring Bob's states back to the equatorial plane (where Alice's states 
are). This changes neither I nor D. 

This argument proves that the result stated in Eq. (|67]) can indeed be achieved by 
symmetrizing any eavesdropping strategy. In particular, there must also be an optimal 
strategy giving rise to Eq. floT|). 
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FIG. 1. The orthogonal bases xy and uv, that satisfy Eq. (Q), are called conjugate to 
each other. 

FIG. 2. Information vs. disturbance for various eavesdropping methods. 

FIG. 3. Eve's information gain G and mutual information / (in bits) as functions of 
Bob's error rate D. 
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- optimum without waiting for basis [5] 

- optimum for 2-dimensional probe [7] 

- optimal eavesdropping: Eq. (65) 
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